APRA's view on risk appetite
Ask yourself these questions:
- Would you ever take up hang gliding?
- Would you drive a car if the seat belt was broken?
- Would you post a potentially compromising picture of yourself on Facebook
- If you were down to your last $1,000, would you bet $10 on a horse after a hot tip? $100? $1,000?
- At age 65, would you invest 25 per cent of your super fund in the share market? 50 per cent? 100 per cent? Or none at all?
- Would you jaywalk at a busy intersection to save a minute?
- Would you have a one night fling? (e.g. at a reinsurance rendezvous!)
Now the answers to these sorts of questions start to give a picture of your personal risk appetite.
It’s obvious that, consciously or otherwise, your personal risk appetite has a big influence on how you live your life.
In exactly the same way, an insurer’s risk appetite should drive how its business is run.
With your personal risk appetite, there is only one mind involved in its formulation and management — yours. With an insurer, there are many minds involved, and so articulating a clear and consistently-understood risk appetite can be a challenge! It is therefore very important that the risk appetite development is tackled systematically, and its implementation is rigorous. More on this shortly.
Over the last couple of years, APRA has set out to generate clear improvements in the articulation and management of risk appetite by CEOs and boards.
Why would we want to do that?
Before I answer that question, I will first spend some time on what risk appetite is, some of the challenges it presents, and why it is so important.
I will then explain APRA’s thinking about improved practices.
Over recent years we have seen a string of failures in financial services organizations.
There have been volumes of learned papers, newspaper articles, and opinion pieces etc., written on why this has all come about. I think we would all accept it wasn’t just bad luck, and that inadequate risk management had a significant role to play.
More specifically, was appetite for risk unclear in these businesses?
Maybe risk appetite was clear, but well beyond the capacity of the business to cope.
Or maybe the risks taken were much greater than risk appetite, for whatever reason - perhaps poor management, deliberate non-compliance, or fraud.
Whatever the reasons, risk management as a discipline is developing strongly and is now high on the agenda for most boards and CEOs.
Management and boards of all companies, but particularly in the financial services world, increasingly consider robust risk management as a fundamental capability for running the business.
In carrying out their responsibilities to protect policyholder interests, there are two major areas of focus:
- Capital management – the more capital the more protection for policyholders
- Risk management – the better the RM, the better the protection for policyholders
As I will explain, risk appetite, our topic for today, is a foundation stone for sound risk management and capital management. And so APRA sees robust risk appetite management as critical for its regulated entities.
Good governance also is fundamentally important for all of this to work effectively.
Before I go into detail, it is worth noting that there is now some quite good reference material on the general topic of risk appetite, and here is a sample.
What are we talking about?
Now what exactly is risk appetite?
The concept is often misunderstood and sometimes there is confusion between various terms such as appetite, tolerance and capacity. EY provides a good summary of relevant terms:
I draw your attention in particular to the difference between appetite and capacity, which often causes problems. While capital may be available, the company may have no desire to risk all of that capital in pursuit of its objectives.
Having said that, capacity may influence appetite. So in our earlier example of personal risk appetite, you might be more willing to invest in equities at age 65 if your super balance is particularly healthy.
The same can apply to an insurer. The more the capacity (in the form of capital) the greater the appetite may be.
The main thing here is to understand the concept of risk appetite.
Whose appetite is it?
It is worth noting that risk appetite is often looked at through the eyes of the shareholder. That’s not a great surprise given the shareholder focus of most companies.
However, financial services companies have very strong obligations to protect the interests of their customers.
APRA too is primarily interested in policyholders and depositors rather than shareholders.
So risk appetite and its management need to consider the interests of customers as well as those of shareholders.
The risk management interests of shareholders and customers are often aligned, but sometimes they are not – indeed they can be at odds with each other.
So the board and management need to explicitly consider the interests of customers in their risk appetite thinking.
How is it expressed?
It is one thing to have a risk appetite. It is another to express it clearly and unambiguously in a risk appetite statement (RAS) in a way that generates a common understanding and a consistency in risk management across the business.
In practice, risk appetite can be and is expressed in a variety of ways.
There is no established best practice here and APRA doesn’t prescribe a particular style. However, in very broad terms, there are two approaches being used.
With the first, the RAS is a fairly succinct document, with clear bounds for the major risk areas for the business. This will be partly quantitative and partly qualitative. To be effective, this sort of RAS must have clear links to risk tolerances captured in other documents. These could be standalone documents for various parts of the business, or they might be captured in broader documents such as business plans.
With the second approach, the RAS is a much longer and more comprehensive document, which provides both the high level perspective and the details of tolerances for operational purposes.
So, it can be high level, and very qualitative; it can be detailed, and include quantitative measures; or it can be a mix of both.
Over time, we may see accepted best practice evolve.
In any event, this slide gives some samples of words you might see.
common mistake is to confuse the idea of risk controls or check points with appetite. As a simple example, the appetite for breaching APRA’s capital requirements might be expressed as target capital of 1.5 times the APRA minimum. This is not a representation of appetite. Risk appetite, in this particular example, would be better expressed as a likelihood of breaching APRA’s requirements. This in turn will dictate where target capital should be pitched.
To help avoid this sort of problem, it is useful to think in terms of outcomes - that is, in considering a particular risk type, what is the worst outcome that could be considered to be acceptable. In the example I just gave, the question would be what would be an acceptable probability of breaching PCR.
This is an example of an effective approach that can be used more generally to develop and flesh out the risk appetite, and that is to have the board consider a range of challenging questions.
Here are some illustrative examples:
- How often is an underwriting loss for the company acceptable?
- What is the worst over-run in project costs that would be acceptable?
- What is the worst net loss that would be acceptable from all natural catastrophes during a year?
- How often would it be acceptable to produce an annual loss?
- How often would it be acceptable to pay no dividend?
- How does the board regard the possibility of an adverse front page story in the AFR?
And so on.
This is one way of helping achieve a common understanding of risk appetite – in effect ensuring everyone is reading from the same sheet of music.
However RA is expressed, it is necessary to translate the RA into operational measures that can be used in various parts of the business and for different types of risk.
That is, we need to translate the appetite into tolerances for day-to-day business purposes. These need to be as quantifiable and/or as measurable as possible.
Here are some sample words:
This translation from appetite to tolerances can be a challenge.
It needs to accommodate the various audiences, different parts of the business and all of the major risks.
This needs to be done in a co-ordinated and consistent way across the business.
Practical information about interpretation of appetite, tolerances adopted etc should be shared and compared across business units and across types of risk. Inconsistencies can then be addressed and tolerances adjusted.
Once there is consistency, information about tolerances etc. should be fed back to the board. The board can then satisfy itself that the tolerances being adopted are indeed consistent with what the board intended with the risk appetite.
Once up and running, experience needs to be monitored and corrective action taken.
So if, because of practical issues or changes in the economy or markets, tolerances are proving to be unworkable or too lenient for a particular business unit or type of risk, adjustments should be made to them as appropriate.
This requires sound processes and strong engagement of management throughout the business.
All of this is difficult to do well. Not only does everyone need to be reading from the same sheet of music, they also must be under the baton of a good conductor – the Chief Risk Officer (by whatever title).
Consistency with plans
Risk appetite needs to be factored into strategic plans. It makes no sense for it to be developed in isolation from strategy or vice versa. So for example, targeted return on capital must be entirely consistent with risk appetite.
Capital management plans also must reflect risk appetite. For example, it may make no sense if risk appetite is expressed as high, but supply of capital is constrained.
Let’s now look at APRA’s requirements.
APRA makes it clear that the board is primarily responsible for the risk management framework (RMF).
The risk management framework includes the risk management strategy, which must, amongst other things, set out the company’s risk appetite.
So the board is responsible for the company’s risk appetite.
As I said earlier, a well-considered, clearly-articulated risk appetite is the very foundation of sound risk management. Without this, risk management throughout the business will be carried out with unclear boundaries and expectations, on an uncertain foundation.
So setting risk appetite should be top of the risk management list for the board.
You may be aware that as part of LAGIC — APRA’s new capital requirements for the insurance industry — we are introducing the three pillar concept. To remind you:
- Pillar 1 – quantitative requirements in relation to required capital, eligible capital and liability valuations;
- Pillar 2 – the supervisory review process which may include a supervisory adjustment to capital; and
- Pillar 3 – disclosure requirements designed to encourage market discipline.
Under Pillar 2, APRA may increase the prescribed capital determined under Pillar 1 if we are of the view that this amount does not adequately account for all of an insurer’s risks or if RM is inadequate.
This diagram will help explain more:
The Prudential Capital Requirement (PCR) is the outworking of Pillar 1 and Pillar 2.
The PCR is a "hard floor" which must not be breached.
If capital does fall below PCR, the insurer needs to correct the position promptly to avoid APRA taking serious measures and potentially taking control out of the hands of the board and management.
Thus the insurer is expected to target a level of capital well in excess of PCR.
The ICAAP – the Internal Capital Adequacy Assessment Process – is a process to assess capital needs and to manage capital levels.
The insurer is expected to manage its capital according to its ICAAP and target capital policy.
In particular, we want insurers to assess their own risk profile and the capital needed to support the risks they undertake. They then should carry out appropriate capital projections and stress testing.
It is here that risk appetite comes into play.
That is, the insurer should be clear on its appetite for breaching PCR and of ultimately not being able to meet its obligations to policyholders. This needs to be considered alongside any other aspects of risk appetite such as volatility in profit.
So the target capital position, the ICAAP and risk appetite should be considered together and managed accordingly.
Note that stress testing is likely to be a very useful tool in setting risk appetite, and in developing target capital and the ICAAP.
As you can see from the diagram, the supervisory attention paid to an insurer will increase in intensity as the insurer’s actual capital approaches the PCR.
Reinsurance and risk appetite
Reinsurance plays a very important role in the implementation of risk appetite. It has the wonderful ability to both reduce risk and reduce capital needs.
This slide shows in a simple way, APRA’s minimum capital requirements for catastrophes under LAGIC (insurance concentration risk charge - ICRC). An insurer may decide that it needs to be able to withstand a $1 billion natural disaster (PML on the slide) with no more than $50 million impact (Retention on the slide) on its balance sheet. Reinsurance can help ensure that the company stays within this risk appetite. It can also be used to deal with the risk of multiple large events.
Other types of reinsurance may help produce a less volatile profit result and this again may help to avoid a breach of risk appetite.
Note that the risk appetite should dictate the reinsurance needed, and not the other way around.
Review of RA statements
In recent times, we have reviewed the risk appetite statements from a number of insurers, and spoken to CEOs and boards about the engagement of the board in the risk appetite process.
In summary, we found a range of issues, including no clear statement of risk appetite or no obvious understanding of what it actually is in concept, quality ranging from poor to quite good, and a lack of analysis using stress testing. Also, it was not always clear that the board had been sufficiently engaged in development of the risk appetite.
As a result, we decided that significant improvement was badly needed.
As a first step we developed 16 principles to use in our assessments of insurers’ practices and we published them so that institutions would be aware of how they would be assessed. The principles are quite consistent with my comments today. For example, they include checks that:
- the Board has been engaged in the development of the risk appetite and has demonstrated ownership by its approval of relevant documents;
- the risk appetite is supported by tolerances and limits, which are embedded in the business; and
- the entity’s strategic objectives and business plans are consistent with the risk appetite.
And so on.
Publishing and using these principles seems to have been an effective catalyst, and we are quite pleased with the progress that has been made across much of the insurance industry. Many of the boards we have met with more recently have been quite engaged in their risk appetite work, and improvements have been marked in the quality of the statements themselves.
Nonetheless, we are not there yet, and much work still needs to be done. Those insurers that are well advanced should continue this development work; those that have done little work to date must give the matter serious attention.
The development and management of ICAAP under LAGIC is a good reason and an ideal opportunity to give serious attention to risk appetite.
Finally, when you are next thinking about posting a compromising picture of yourself on Facebook, you might want to first consult your personal risk appetite statement!